Internet and Intranet Fundamentals Class 9 Session A.

Topics
- Firewalls (continued)

Firewalls (continued)
- Bastion Hosts
- Packet Filtering

Bastion Hosts: Public Presence on the Internet
- The "lobby" analogy: the bastion host is the one part of the site the outside public is allowed into
- Public exposure implies increased security requirements
  – focus special attention on building the bastion host
  – host security: some of these principles apply to other hosts as well

Bastion Hosts: Various Types
- Non-routing dual-homed hosts
  – make sure they really are non-routing (IP forwarding disabled); otherwise the host bridges the two networks it is meant to separate
- Victim machines
  – the "sacrificial goat": expect it to be compromised
  – don't let users put valuables on them
- Internal, semi-bastion hosts
  – inside the firewall
  – communicate with the external bastion host

Bastion Hosts: General Design Guidelines
- Minimize the number of services provided
  – keep it simple
  – every piece of server software may have bugs that can be exploited; fewer services means a smaller attack surface
- Expect the bastion host to be compromised
  – expect the worst and plan for it
  – it is the host most likely to be attacked
  – treat the bastion host as an untrusted host: nothing on the inside should trust it

Bastion Hosts: What Platform?
- Unix, NT, etc.?
- Criteria
  – your experience with the platform
  – availability of firewall tools for it
- Class of machine
  – minimal: not a supercomputer
  – RAM matters more than CPU

Bastion Hosts: Location
- Physical location: somewhere physically safe
- Network location
  – preferably on a perimeter network (DMZ)
  – or on a network where other hosts cannot easily sniff or spoof its traffic, such as ATM or a switched Ethernet segment rather than a shared medium (a switch limits casual sniffing but does not by itself stop ARP spoofing)

Bastion Host Services
- Proxy and relay services
  – HTTP proxy
  – SMTP server (mail relay)
  – NNTP server
  – FTP server
- Public services
  – HTTP
  – SMTP

Bastion Hosts: Construction Steps
- Secure the machine
  – start with a minimal, clean operating system install
  – fix all known system bugs (apply every available vendor patch)
  – use a security checklist
  – safeguard the system logs: this requires lots of logging, and logs kept only on the bastion host will be altered once it is compromised, so copy them to an internal log host as well

Bastion Hosts: Construction Steps (continued)
- Disable non-required services
- Install or modify the services the host will provide
- Reconfigure the machine from development to deployment settings
- Perform a security audit
- Connect the machine to the network (only after the audit)
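The "disable non-required services" and "perform a security audit" steps amount to one check: compare what the host actually listens on against the short list of services it is supposed to provide. The following is an added example, not code from the lecture: it parses the output of `ss -lntuH` (Linux iproute2; listening TCP and UDP sockets, numeric, no header) and flags every listener that is not on an allow-list. The allow-list (SSH, SMTP relay, HTTP) and the sample `ss` output are constructed for this example; on a real bastion host you would feed it `subprocess.run(["ss", "-lntuH"], ...).stdout` and make the allow-list match the services chosen on the previous slides.

```python
"""Listening-service audit for a bastion host (added example, not from the lecture).

Parses `ss -lntuH` output and reports listeners that are not on the allow-list.
Loopback-only listeners are reported separately: they are not reachable from the
network, but they are still running code that the minimal-services rule says
should not be there.
"""
from typing import Dict, List, Set, Tuple

Listener = Tuple[str, str, int]   # (protocol, local address, local port)

# Assumption for this example: the bastion offers SSH for administration,
# an SMTP relay and a public HTTP server, and nothing else.
ALLOWED: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 25), ("tcp", 80)}


def parse_ss(output: str) -> List[Listener]:
    """Extract (proto, address, port) from headerless `ss -lntu` lines."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue                       # blank or malformed line
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")   # handles "[::]:80" as well
        if not port.isdigit():
            continue                       # wildcard port, not a bound socket
        listeners.append((proto, addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def audit(output: str, allowed: Set[Tuple[str, int]] = ALLOWED) -> Dict[str, List[Listener]]:
    """Classify every listener as expected, loopback_only or unexpected."""
    report: Dict[str, List[Listener]] = {"expected": [], "loopback_only": [], "unexpected": []}
    for listener in parse_ss(output):
        proto, addr, port = listener
        if (proto, port) in allowed:
            report["expected"].append(listener)
        elif is_loopback(addr):
            report["loopback_only"].append(listener)
        else:
            report["unexpected"].append(listener)
    return report


# Constructed sample output of `ss -lntuH` on a not-yet-hardened host:
# telnet (23), a CUPS printer daemon on loopback (631) and portmapper (111)
# are all things a bastion host has no business running.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      100          0.0.0.0:25        0.0.0.0:*
tcp   LISTEN 0      511             [::]:80           [::]:*
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*
"""

if __name__ == "__main__":
    result = audit(SAMPLE_SS)
    for category, items in result.items():
        for proto, addr, port in items:
            print(f"{category:14s} {proto}/{port} on {addr}")
```

Run the audit before the "connect machine to network" step, and again after every change to the host; an empty `unexpected` list is the condition for connecting it.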

Packet Filtering: Topics
- What is it?
- Advantages and disadvantages
- Configuring a packet filtering router
- Various kinds of filtering

Packet Filtering: What Is It?
- Selectively accept or reject IP packets based on fields in the packet headers:
  – source address
  – destination address
  – incoming physical interface (port)
  – transport protocol and TCP/UDP port numbers

Packet Filtering: Advantages and Disadvantages
- Advantages
  – one router protects an entire network
  – doesn't require user knowledge or cooperation
  – widely available
- Disadvantages
  – current filtering tools are not perfect: they can be hard to configure, test and maintain, and may themselves have bugs
  – some protocols don't lend themselves to filtering (for example, FTP data connections use dynamically assigned ports)

Packet Filtering: Configuring a Packet Filtering Router
- Protocols are bidirectional: a rule that lets a request out needs a matching rule that lets the reply back in
- Inbound vs. outbound semantics
  – packets vs. services: "outbound telnet" as a service consists of outbound packets plus inbound replies
  – think "packets", not services, when writing rules
- Default security policy
  – permit or deny whatever no rule matches? Default deny is the safe choice
- Returning ICMP error codes
  – destination unreachable, for example
  – rejecting with an ICMP error is friendlier to legitimate senders, but it confirms to a prober that a filter exists; silently dropping gives away less

Various Kinds of Filtering: Rules
Each rule specifies:
- Direction (inbound or outbound)
- Source address
- Destination address
- ACK set (is the TCP ACK flag set, i.e. is this a reply within an established connection rather than an attempt to open one?)
- Action (permit or deny)
Rules are listed in order; the default rule comes last and catches every packet not matched earlier.

Various Kinds of Filtering: Risks of Address Filtering
- Address forgery (source address spoofing)
  – blind spoofing: the attacker forges the source address and does not expect to get any packets back
  – man-in-the-middle: the attacker must intercept the return packets, which means altering the network topology or routing to get in the middle
- Consequence: a source address alone is never proof that a packet came from inside; at minimum, drop packets arriving on the outside interface that claim an inside source

Various Kinds of Filtering: Filtering by Service
- More complicated than filtering by address alone
- TELNET, outgoing packets (local client to remote server):
  – IP source address: the local host
  – IP destination address: the remote host
  – protocol: TCP
  – TCP destination port: 23
  – content: your keystrokes

Various Kinds of Filtering: Filtering by Service (continued)
- TELNET, incoming packets (remote server back to the local client):
  – IP source address: the remote host
  – IP destination address: the local host
  – protocol: TCP
  – TCP source port: 23
  – TCP destination port: the same port the client used as its source port
  – ACK flag set (every TCP packet after the initial SYN carries ACK, so a packet without it is an attempt to open a connection, not a reply)

Various Kinds of Filtering: Filtering by Service (continued)
- TELNET rules
  – permit outbound TCP to destination port 23
  – permit inbound TCP from source port 23 only if the ACK flag is set
  – deny everything else, inbound and outbound (the default rule)
- Risks
  – some other service on port 23? Port numbers are conventions: the remote host can run anything on port 23, and local users can reach any remote service that chooses to listen there
  – the ACK rule admits any inbound packet from source port 23 with ACK set, to any local port, whether or not a connection exists; an attacker can craft such packets to probe hosts behind the filter. A stateful filter, which admits only replies to connections it has seen opened, closes this gap
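Putting the preceding slides together (rule fields, default deny, the anti-spoofing consequence of address forgery, and the three TELNET rules), here is an added example of a stateless packet filter, not code from the lecture or from any real router. Packets are in-memory records rather than captured traffic, 192.0.2.0/24 is an assumed address block for the inside network, and 198.51.100.5 is an assumed outside host. The rule list adds one anti-spoofing rule ahead of the lecture's three TELNET rules; the last sample packet shows the weakness of the ACK test discussed above.

```python
"""Stateless packet filter for the TELNET rule set (added example, not from the lecture).

Rules are evaluated top to bottom; the first match decides; the last rule is
the default policy. 192.0.2.0/24 is an assumed inside network.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LOCAL_NET: IPv4Network = ip_network("192.0.2.0/24")  # assumption: the protected network


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from outside) or "out" (leaving the site)
    src: str            # IP source address
    dst: str            # IP destination address
    proto: str          # "tcp", "udp" or "icmp"
    sport: int          # source port (0 for protocols without ports)
    dport: int          # destination port
    ack: bool = False   # TCP ACK flag; False on the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "permit" or "deny"
    direction: str                      # "in", "out" or "*" for either
    src: Optional[IPv4Network] = None   # None means "any"
    dst: Optional[IPv4Network] = None
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None          # None means "don't care"

    def matches(self, p: Packet) -> bool:
        if self.direction != "*" and self.direction != p.direction:
            return False
        if self.src is not None and ip_address(p.src) not in self.src:
            return False
        if self.dst is not None and ip_address(p.dst) not in self.dst:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.sport is not None and self.sport != p.sport:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.ack is not None and self.ack != p.ack:
            return False
        return True


RULES: List[Rule] = [
    # Anti-spoofing: a packet arriving from outside must not claim an inside source.
    Rule("anti-spoof", "deny", "in", src=LOCAL_NET),
    # Outgoing telnet: inside client to any remote server, TCP destination port 23.
    Rule("telnet-out", "permit", "out", src=LOCAL_NET, proto="tcp", dport=23),
    # Returning telnet: ACK must be set, so an inbound SYN from port 23 does not match.
    Rule("telnet-reply", "permit", "in", dst=LOCAL_NET, proto="tcp", sport=23, ack=True),
    # Default policy: deny everything else, both directions.
    Rule("default-deny", "deny", "*"),
]


def filter_packet(p: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, name of the rule that decided)."""
    for rule in rules:
        if rule.matches(p):
            return rule.action, rule.name
    return "deny", "implicit-deny"   # only reached if no default rule is configured


# Constructed traffic: 192.0.2.10 is an inside client, 198.51.100.5 an outside host.
SAMPLE_PACKETS = {
    "client opens telnet":    Packet("out", "192.0.2.10", "198.51.100.5", "tcp", 40000, 23),
    "server reply":           Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 23, 40000, ack=True),
    "inbound SYN from 23":    Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 23, 40000),
    "inbound telnet to us":   Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 45000, 23),
    "spoofed inside source":  Packet("in", "192.0.2.77", "192.0.2.10", "tcp", 23, 40000, ack=True),
    "udp to port 23":         Packet("out", "192.0.2.10", "198.51.100.5", "udp", 40000, 23),
    # The stateless weakness: source port 23 plus ACK is all the filter checks,
    # so a crafted probe to an unrelated local port passes as a "reply".
    "ACK probe to port 6000": Packet("in", "198.51.100.5", "192.0.2.10", "tcp", 23, 6000, ack=True),
}

if __name__ == "__main__":
    for label, pkt in SAMPLE_PACKETS.items():
        action, rule = filter_packet(pkt)
        print(f"{label:24s} -> {action:6s} ({rule})")
```

The order of the rules matters: moving `anti-spoof` below `telnet-reply` would let the spoofed packet through, because the reply rule does not look at the source address at all. The last sample packet is the reason the slide's "deny everything else" is not enough on its own; it is permitted by `telnet-reply`, and only connection state tracking would distinguish it from a real reply.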